-13-
CLAIMS
DE920000032US1

1. A security system for controlling access to one or more application functions located on a server or accessible via said server, each application function having an associated security level, wherein one or more clients communicate with said server by means of requests for accessing one of said application functions using a network, wherein access to said application functions is controlled by security requirements, comprising:

an authentication component functionally separated from said clients and said application functions for processing said client request independently of said client type, containing more than one authentication mechanism and selecting and executing an authentication mechanism from said more than one authentication mechanisms based on the information contained in the client request, resulting in a security state;

a security component containing a security policy describing security requirements (security level) for accessing application functions, comparing said security state associated with said client with the security level of the application function and allowing access to the application function if the security state fulfills the security level.

2. A system according to claim 1, wherein said clients are PVC-devices.
3. A system according to claim 1, wherein said authentication component and said security component are integrated in one component stored on a server.

4. A system according to claim 1, whereby said authentication component consists of security plug-ins, whereby each authentication mechanism is laid down in a separate security plug-in.

5. A system according to claim 4, whereby the authentication mechanism may be UserID/Password, Challenge/Response or digital signature.

6. A system according to claim 2, further comprising:

a component (ADL) for converting PVC-device specific requests into canonical requests before said request is used by said authentication component.

7. A method for controlling access to one or more application functions stored on a server or accessible via said server, each application function having an associated security level, wherein one or more clients communicate with said server by means of requests for accessing one of said application functions using a network, whereby access to said application functions is controlled by security requirements, comprising the steps of:

routing all incoming requests created by said clients to an authentication component which is functionally independent from said clients and said application functions, said authentication component comprising the steps of:

authentication of said client by determining an authentication mechanism provided by said authentication component by means of authentication information contained in said request and applying said authentication mechanism;

storing a result of said authentication and said authentication information, or parts of it contained in said request, as a security state;

using security requirements for said one of said application functions to be accessed;

comparing said stored security state with said security requirements for accessing the requested application function; and

invoking said requested application function if said security state fulfills said security requirements.
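The access-control flow of claims 1 and 7, with the plug-in mechanisms of claims 4 and 5, written out as an added Python model. This is example code, not from the patent or from any implementation by its assignee. The user store, the policy table, the application functions, the two mechanisms' internals (salted password hash, HMAC-based challenge/response) and the rule that stronger mechanisms are tried first are all constructed assumptions; the digital-signature plug-in is omitted. Functions absent from the policy are denied, which is the fail-closed behaviour a practitioner wants from the comparison step.

```python
"""Model of the claimed access control: every request goes through an
authentication component that picks one of several plug-in mechanisms from
the information carried in the request and yields a security state; a
security component then compares that state with the security level the
requested application function requires."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed user store (example data, not from the patent). Passwords are
# held as salted hashes; the challenge/response secret is a per-user key.
_USERS: Dict[str, dict] = {
    "alice": {
        "salt": b"s4lt",
        "pw_hash": hashlib.sha256(b"s4lt" + b"correct horse").hexdigest(),
        "secret": b"alice-shared-secret",
    },
}

@dataclass(frozen=True)
class CanonicalRequest:
    """Client-type-independent request, as a Device Adaptation Layer would emit."""
    function: str            # application function being requested
    auth: Dict[str, str]     # authentication information carried in the request

@dataclass(frozen=True)
class SecurityState:
    """Result of authentication; level 0 means unauthenticated."""
    mechanism: str
    user: Optional[str]
    level: int

# ---- Authentication plug-ins: one mechanism per plug-in -------------------
# A plug-in returns the security level it establishes, or None on failure.
def _userid_password(auth: Dict[str, str]) -> Optional[int]:
    rec = _USERS.get(auth["user"])
    if rec is None:
        return None
    digest = hashlib.sha256(rec["salt"] + auth["password"].encode()).hexdigest()
    return 1 if hmac.compare_digest(digest, rec["pw_hash"]) else None

def _challenge_response(auth: Dict[str, str]) -> Optional[int]:
    # Assumes the server issued `challenge` earlier and the client answered
    # with HMAC(secret, challenge); nonce bookkeeping is left out here.
    rec = _USERS.get(auth["user"])
    if rec is None:
        return None
    expected = hmac.new(rec["secret"], auth["challenge"].encode(), "sha256").hexdigest()
    return 2 if hmac.compare_digest(expected, auth["response"]) else None

def client_response(user: str, challenge: str) -> str:
    """Client side of the challenge/response exchange (same per-user secret)."""
    return hmac.new(_USERS[user]["secret"], challenge.encode(), "sha256").hexdigest()

# Ordered registry of (name, request fields needed, handler). Stronger
# mechanisms come first, so a request carrying both kinds of credential
# is checked with the stronger one.
PLUGINS: List[Tuple[str, Tuple[str, ...], Callable[[Dict[str, str]], Optional[int]]]] = [
    ("challenge_response", ("user", "challenge", "response"), _challenge_response),
    ("userid_password", ("user", "password"), _userid_password),
]

def authenticate(req: CanonicalRequest) -> SecurityState:
    """Authentication component: choose the mechanism from the fields present
    in the request, run it, and return the resulting security state."""
    for name, fields, handler in PLUGINS:
        if all(f in req.auth for f in fields):
            level = handler(req.auth)
            if level is None:
                return SecurityState(name, None, 0)   # credentials rejected
            return SecurityState(name, req.auth["user"], level)
    return SecurityState("none", None, 0)             # nothing usable in the request

# ---- Security component ---------------------------------------------------
# Constructed policy: security level required per application function.
POLICY: Dict[str, int] = {"read_balance": 1, "transfer": 2}

def access_allowed(state: SecurityState, function: str) -> bool:
    """Compare the security state with the function's level. A function
    missing from the policy is denied (fail closed)."""
    required = POLICY.get(function)
    return required is not None and state.level >= required

# Constructed application functions living on the server.
APP_FUNCTIONS: Dict[str, Callable[[str], str]] = {
    "read_balance": lambda user: f"balance of {user}",
    "transfer": lambda user: f"transfer by {user}",
}

def handle_request(req: CanonicalRequest) -> Tuple[bool, str]:
    """Route the request through authentication, then the security component,
    and invoke the function only when the state fulfils the required level."""
    state = authenticate(req)
    if not access_allowed(state, req.function):
        return False, f"denied ({state.mechanism}, level {state.level})"
    return True, APP_FUNCTIONS[req.function](state.user)

if __name__ == "__main__":
    creds = {"user": "alice", "password": "correct horse"}
    print(handle_request(CanonicalRequest("read_balance", creds)))
    print(handle_request(CanonicalRequest("transfer", creds)))  # level 1 < 2
```

The security state is produced once per request here; the session-cookie example further down shows how the claims let it be carried across requests instead.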



8. A method according to claim 7, wherein said incoming requests are canonical requests.

9. A method according to claim 8, wherein said canonical requests are created by a Device Adaptation Layer which converts client specific requests into canonical requests.
10. A method according to claim 7, comprising the further steps of:

creating a session identifier when establishing a communication between a client and a server and using said session identifier in all requests and responses between said client and said server.

11. A method according to claim 10, whereby said session identifier and said security state are placed in a cookie, whereby said cookie is inserted into each request and response between said client and said server.
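The session identifier and cookie of claims 10 and 11, as an added Python example that is not part of the patent. The cookie name, the server key and the keyed MAC over the cookie are assumptions; the claims say nothing about integrity protection, but a security state held on the client can otherwise be edited before it is sent back, so the example rejects any cookie whose MAC does not verify and the server then treats the client as unauthenticated.

```python
"""Session identifier and security state carried in a cookie on every
request and response. The keyed MAC is an addition to what the claims
describe: it lets the server detect a cookie whose security state was
edited on the client side."""
import base64
import hmac
import json
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple

# Constructed server-side key for the example; a real deployment loads it
# from a key store and never embeds it in source.
SERVER_KEY = b"example-server-key-not-for-real-use"
COOKIE_NAME = "secstate"

def new_session_id() -> str:
    """Session identifier created when the client/server communication is
    established; unguessable so one client cannot present another's."""
    return secrets.token_urlsafe(16)

def encode_payload(session_id: str, security_state: dict) -> str:
    """Session id and security state as URL-safe base64 JSON (padding dropped)."""
    raw = json.dumps({"sid": session_id, "state": security_state}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()

def cookie_value(session_id: str, security_state: dict) -> str:
    """The value placed in the cookie: payload plus its MAC."""
    payload = encode_payload(session_id, security_state)
    return f"{payload}.{_tag(payload)}"

def set_cookie_header(session_id: str, security_state: dict) -> str:
    """Set-Cookie header for the response; HttpOnly and Secure keep the
    cookie away from page scripts and off clear-text connections."""
    c = SimpleCookie()
    c[COOKIE_NAME] = cookie_value(session_id, security_state)
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["path"] = "/"
    return c[COOKIE_NAME].OutputString()

def read_cookie(cookie_header: str) -> Optional[Tuple[str, dict]]:
    """Parse the Cookie header of an incoming request and return
    (session_id, security_state), or None when the cookie is missing or its
    MAC does not match the payload."""
    c = SimpleCookie()
    c.load(cookie_header)
    if COOKIE_NAME not in c:
        return None
    payload, sep, tag = c[COOKIE_NAME].value.rpartition(".")
    if not sep or not hmac.compare_digest(_tag(payload), tag):
        return None
    raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    data = json.loads(raw)
    return data["sid"], data["state"]

if __name__ == "__main__":
    sid = new_session_id()
    hdr = set_cookie_header(sid, {"user": "alice", "level": 1})
    print(hdr)
    print(read_cookie(hdr.split(";")[0]))
```

The MAC covers the session identifier together with the state, so swapping the state from one session into another is detected as well; the server still needs a session store or an expiry inside the payload to retire old cookies, which the example leaves out.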

12. A method according to claim 7, wherein said clients are PVC-devices.

13. A computer program comprising computer program code portions for performing respective steps of the method according to one of claims 7 to 12 when the program is executed in a computer.

14. A computer program product stored on a computer-readable medium containing software code for performing the method according to one of claims 7 to 12 when the program product is executed on a computer.

15. A client-server system, wherein one or more clients, having client types, communicate with a server by means of requests for accessing application functions located on or accessible via said server, wherein access to said application functions is controlled by a security system located on said server, wherein said security system comprises:

an authentication component, functionally separated from said one or more clients and said application functions, for processing client requests independently of client type, containing one or more authentication mechanisms and selecting and executing an authentication mechanism from said authentication mechanisms based on the information contained in the client request, resulting in a security state;

a security component containing a security policy describing security requirements (security level) for accessing application functions, comparing said security state associated with a client with the security level of the application function and allowing access to the specified application function if the security state fulfills the security level.



